1. Introduction


1.1 Overview

Visualization is a method of particular interest for aiding the end user's environment and enabling more effective analysis. It is also used to improve the overall user-friendliness of, and interaction with, the device. This report presents a technology assessment of currently available visualization tools that can be used to enhance the accuracy, communication, and performance of the analyst's process of identifying cyber attacks with anomaly-based Intrusion Detection Systems (IDS). The goal of this assessment is to provide developers with a list of visualization tools that may be integrated in ensemble with other techniques, making the overall IDS more deployable.

There  are  well  over  one  hundred  visualization  tools  currently  available.  We  used  the  following 
metrics  to  select  which  tools  would  be  most  applicable  to  the  cyber  security  domain: 

•  Relevance  to  network  security 

•  Breadth  of  visual  techniques 

•  Ease-of-use 

•  Ability  to  answer  the  concerns  of  end  users 

This  resulted  in  a  final  list  of  59  visualization  tools  to  analyze.  We  reviewed  and  grouped  the 
selected  59  visualization  tools  into  the  following  categories  of  visualization  needs  for  analyst 
tasks: 


•  Predevelopment 

•  Monitoring 

•  Analysis 

•  Response 

•  Future  Development 

The analysis recommends and proposes the use of the visualization tools that best meet the requirements and specifications of the end users within the five categories. Here the end users are a targeted audience composed of decision makers, analysts, other end users, and a special interest group at the U.S. Army Research Laboratory (ARL).

Anyone involved in the various aspects of cyber security, especially decision-driven work such as analysts' tasks, should be interested in our findings. Use of this visualization tools assessment is necessary to improve the user interface or user environment that analysts interact with to detect and prevent attacks on cyber networks. Having this information enables better situational awareness for the entire network security community and knowledge superiority in the cyber domain. Furthermore, this assessment aids the network and communication sciences by developing an ensemble of techniques that allow the user interface to provide better information assurance.

1.2  Intrusion  Detection  Systems  (IDS) 

An IDS aims at detecting attacks against computer systems and networks or, in general, against information systems (1). It acquires knowledge about an information system in order to analyze its security status. It is important to note that there are two general types of IDS: knowledge-based and behavior-based. A knowledge-based IDS is often referred to as "misuse detection" (2, 3) or detection by appearance (4); it is designed to collect network information and sift through the collected data for evidence of exploitation and of command and control. A behavior-based IDS is also known as anomaly detection (4) or detection by behavior; its focus is on building a model of the usual behavior of the information system being monitored and observing any deviation from that model for further investigation.

Other IDS variants are signature-based, host-based, network-based, and graph-based. A signature-based IDS decides in advance what type of behavior is undesirable, using a known set of behaviors and previously detected intrusions (5). Host-based IDS was the first IDS ever designed; it audited information provided by a mainframe (6), performing its audit locally or on separate machines (6). The shift in computing from mainframe environments to distributed workstation networks drove the search for better IDSs (2). Out of this came the Distributed IDS (DIDS), a hybrid approach that uses both network-based and host-based intrusion detection (ID) tools in a multihost environment (9). A network-based IDS follows the design philosophy of mining traffic at the network level, auditing packet information, and logging any suspicious packets, connections, or sessions into a special log file with extended information (3). The Graph-based IDS (GrIDS) is designed to detect large-scale automated attacks on network systems. It assembles reports of incidents and network traffic into graphs, and can aggregate those graphs into simpler forms at higher levels of the hierarchy (9).

Known issues with anomaly-based IDS include the tendency to consume data-processing resources and the possibility of an attacker teaching the system that illegitimate activities are ordinary or regular (5). Similar known IDS issues (1, 11) have limited the deployment of anomaly-based IDS over the past 25 years. The idea of an IDS was first introduced in 1987 by Dorothy Denning (12), and many still focus on the development of deployable anomaly-based IDS. With this mission comes the question of how to interpret the information that the anomaly-based IDS outputs to the end user. One method for addressing this question is the use of visualization and visualization techniques.
The goal of an IDS is to characterize attack behaviors properly so as to identify all true attacks without falsely identifying nonattacks (13), meaning that true positives are increased while the false positive rate is decreased. It is therefore best to consider both views of an attack situation on a network system whose data may be affected. From the attack victim's view, the major concerns are the following:

•  Where  and  when  did  the  intrusion  originate? 

•  What  happened? 

•  How  and  why  did  the  intrusion  happen? 

•  Who  is  affected  and  how? 

•  Who  is  the  intruder? 

From  the  attacker’s  view,  the  following  are  major  concerns: 

•  What  is  my  objective? 

•  What  vulnerabilities  exist  in  the  target  system? 

•  What  damage  or  other  consequences  are  likely? 

•  What  exploit  scripts  or  other  attack  tools  are  available? 

•  What  is  my  risk  of  exposure? 

1.3  Visualization 

The design of visualization techniques for the exploration, analysis, and situational awareness of network events has become a significant focus of researchers as they attempt to deal with the sheer volume and complexity of the data (13). This has resulted in two cognitive task analyses (15, 16) examining the needs and requirements of network analysts and managers. The study in reference 15 used event-related functional magnetic resonance imaging (fMRI) to study the pattern of activation during four distinct stages in the performance of the Wisconsin Card Sorting Task (WCST). Ellis et al. (16) conducted an exploratory analysis of user evaluation studies that use information visualization. They found that an empirical evaluation of visualizations alone is methodologically unsound because of its generative nature. Their results do show that empirical evaluations used in conjunction with reasoned justification lead to a more reliable validation of the visualization. This direction of research has resulted in the development of innumerable visualization techniques. An entire community, Visualization for Cyber Security (VizSec) (17), has formed around the research task of visually analyzing and monitoring network data, which is usually reviewed at its yearly conference.

Visualization has a history of being nondeployable, ineffective, and obfuscating, especially for the analyst, our end user. The overall goal of using visualization tools and techniques is to integrate them with interaction techniques that are effective for large-scale databases, in order to analyze the data and identify sophisticated attacks within the arriving data (18). We plan to explore current computer-graphics interaction techniques via input displays. Furthermore, visualization is to be used in ensemble with other techniques that will reduce the effect of false positive rates increasing faster than true positive rates, which in turn will make anomaly detection more deployable (19).

Visualization for ID can help a security administrator recognize abnormal behavior intuitively. Visualization of ID can enable better analysis and response because an intrusion is recognized intuitively, and so it can overcome alert flooding. Most ID methods with visualization are anomaly-based detection methods and visualize audit data rather than the alert itself (20). The host-based visualization method for ID learns the normal states of the commands or programs run by a user and compares audit data with those profiles for visualization.

The network-based visualization method for ID expresses the source address, destination address, port number, and so forth of the network's packets as a visual graph (20, 21). These methods detect an intrusion when an attack's graph characteristics differ from those of the normal state, and they extract diagnostic features of the attack to embody anomaly detection. Again, these methods visualize audit data rather than alerts. They are useful for detecting attacks that emit much traffic, such as a distributed denial-of-service (DDoS) attack (22), but they do not offer clear features for attacks that emit little traffic (23).
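The network-based method just described, reduced to its data step as an added example (Python; not from the report or from references 20 to 23). Constructed flow records are aggregated into the source to destination:port links a graph display would draw, and one graph characteristic, the number of distinct sources per destination service, is compared against a baseline. The flood is built from 40 sources in a documentation address range; one low-volume attack flow is included to show what this characteristic does not reveal. The threshold values are assumptions of the example.

```python
"""
Added example (not from the ARL report): the network-based approach reduced
to its data step. Constructed flow records become the node/link graph a
display would draw (source -> destination:port), and a graph characteristic
(distinct-source fan-in per destination service) is compared with a baseline
to pick out a DDoS-like flood. One single-source, low-volume attack flow is
included to show that this characteristic does not expose it.
"""
from collections import defaultdict

# Constructed flows: (src_ip, dst_ip, dst_port, packets). Addresses are from
# documentation ranges; 198.51.100.0/24 plays the attacking botnet.
BASELINE_FLOWS = [
    ("10.0.0.5", "10.0.1.10", 443, 120),
    ("10.0.0.6", "10.0.1.10", 443, 80),
    ("10.0.0.7", "10.0.1.10", 443, 95),
    ("10.0.0.5", "10.0.1.20", 22, 30),
    ("10.0.0.8", "10.0.1.30", 53, 400),
    ("10.0.0.9", "10.0.1.30", 53, 350),
]
OBSERVED_FLOWS = [
    ("10.0.0.5", "10.0.1.10", 443, 110),
    ("10.0.0.6", "10.0.1.10", 443, 90),
    ("10.0.0.5", "10.0.1.20", 22, 25),
    ("10.0.0.8", "10.0.1.30", 53, 390),
    # flood: many sources, a few packets each, all aimed at one service
    *[(f"198.51.100.{i}", "10.0.1.10", 443, 5) for i in range(1, 41)],
    # low-traffic attack: one source, a handful of packets to SSH
    ("203.0.113.9", "10.0.1.20", 22, 3),
]


def build_link_graph(flows):
    """Aggregate flows into the links a node/link display draws:
    {(src, "dst:port"): packets}. The nodes are the endpoints of the keys."""
    links = defaultdict(int)
    for src, dst, port, pkts in flows:
        links[(src, f"{dst}:{port}")] += pkts
    return dict(links)


def fan_in(links):
    """Graph characteristic: number of distinct sources per destination service."""
    sources = defaultdict(set)
    for src, service in links:
        sources[service].add(src)
    return {service: len(s) for service, s in sources.items()}


def flag_fan_in_anomalies(observed_links, baseline_links, factor=3, min_sources=5):
    """Return services whose fan-in reaches `factor` times the baseline fan-in
    (never fewer than `min_sources`, so unseen services need a real crowd)."""
    base = fan_in(baseline_links)
    obs = fan_in(observed_links)
    flagged = {}
    for service, n in obs.items():
        expected = base.get(service, 0)
        threshold = max(min_sources, factor * expected)
        if n >= threshold:
            flagged[service] = {"baseline": expected, "observed": n}
    return flagged


if __name__ == "__main__":
    base_links = build_link_graph(BASELINE_FLOWS)
    obs_links = build_link_graph(OBSERVED_FLOWS)
    print("nodes/links drawn:", len({n for k in obs_links for n in k}), len(obs_links))
    print("baseline fan-in  :", fan_in(base_links))
    print("observed fan-in  :", fan_in(obs_links))
    print("flagged          :", flag_fan_in_anomalies(obs_links, base_links))
```

The flood stands out as a 14-fold jump in distinct sources on 10.0.1.10:443, which is exactly the kind of change a node/link picture makes visible at a glance. The single flow from 203.0.113.9 to 10.0.1.20:22 raises that service's fan-in from one to two and is invisible to this characteristic, which is the limitation reference 23 points at.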

The goal of this report is to provide a reliable list of visualization tools that will aid in expanding the anomaly-based IDS framework through user-interface characteristics that, when implemented in ensemble with other detection techniques, will do the following (3): provide prioritized information distinguishable from noise in the anomaly-based IDS user interface, increase situational awareness as a result, and offer ease of use for the end user. Hence, in the effort to aid decision makers, this paper assesses current visualization tools that improve the decision-making process, enabling analysts and any end user to make decisions and choose better actions (24).


2.  Desired  Visualization  Needs  for  Analysts  Tasks 


Understanding the problem requires understanding the perspectives of both the developers and the users. It is important to first acknowledge the audience who will be using the displays, environment, or product that will employ the visualization tools. By inferred assumption, this audience includes the analysts, the decision makers, and any other end users. An immediate focus is on the interviewed analysts, decision makers, and end users who provide the requirements and specifications for their needed environment. With this in mind, it was fitting to first obtain their perspective on what components are important and valuable to their interaction with and understanding of data in the final user interface. We used their initial responses from a user study conducted as a brainstorming session of network analysts, network managers, security researchers, and visualization researchers at Pacific Northwest National Laboratory* (PNNL) and at the United States Air Force Research Laboratory† (AFRL) (24). Their documented responses enabled a focused literature review to seek out visualization tools that currently exist and would meet most of the requirements of this audience. The assessed visualization tools include applications, software, APIs, programming languages, and specific environments. The intent of and hope for a wide variety in tool type is to have more options for ensemble with other techniques that will make the user interface deployable. Concerns collected from the end users' perspective (refer to reference 24) include:

•  Visualize  abstract  concepts  more  effectively. 

•  Have  clear  focus  on  either  mission  impact  or  system  impact. 

•  How  to  visualize  amount  of  damage? 

•  How  to  visualize  the  identified  attacks  and  attackers? 

•  How  to  visualize  the  characterization  of  attacks  and  attackers? 

•  How  to  visually  identify  a  legitimate  user? 

•  How  to  visually  identify  any  abnormalities? 

•  How  to  visually  identify  a  malicious  actor? 

•  How  to  visually  identify  a  compromised  system? 

•  How  to  visualize  an  intended  target  of  an  attack  through  trace  back? 


*902 Battelle Blvd, Richland, WA 99354.
†Wright-Patterson Air Force Base, OH.
These questions cover the breadth of the end users' initial brainstormed concerns from the session in reference 24:

•  What  assumptions  is  the  software  making? 

•  Visualization  must  identify  the  impacts  of  the  breaches.  How  will  network  operation  be 
affected? 

•  The  software  must  address  what  is  interesting  to  look  at.  This  depends  on  viewer’s 
perspective. 

•  What  is  most  helpful  to  the  user  will  depend  on  that  particular  user,  their  particular  job,  and 
their  particular  goals. 

•  The  visualization  must  understand  the  various  perspectives  of  different  users. 

•  Templates  will  aid  in  identifying  what  is  normal. 

•  Concepts  for  what  is  appropriate  for  templates,  how  they  can  most  effectively  be  used  and 
interpreted  correctly. 

•  Need  a  communication  capability  to  monitor  the  resolution  of  an  attack  and  verify  that  the 
resolution  plan  is  used. 

•  There  should  be  a  “network  of  trust”  built  into  the  visualization. 

•  How  a  timeline  is  used  for  ordering  of  events  and  actions  is  critical. 

•  The  visualization  should  be  able  to  determine  what  protocol  the  attack  uses — common, 
unusual,  or  uncommon  protocols. 

•  The  visualization  should  organize  data  in  a  meaningful  way.  Usually,  the  3-D  viewpoint 
factors  in  time. 

•  Need  to  incorporate  a  communication  medium  within  the  visualization  tool  like  a 
whiteboard  or  sticky  notes  to  share  data. 

•  It  is  important  for  the  visualization  to  know  what  triggered  the  incident  whether  specific  or 
generic. 

•  The  visualization  will  need  to  know  some  basic  information  to  what  is  happening  outside 
the  system  to  better  understand  and  handle  situational  awareness. 

•  It  is  important  to  have  a  geo-location  integrated  into  the  visualization  environment. 
• Three things should be incorporated into the visualization organization:

o Representation of a generalized attack path
o Representation including all nodes and routers
o Representation of a timeline of events

The ID tasks and visualization needs process model developed by Komlodi et al. (25) is a clear indicator and starting point for making tools that meet analysts' requirements. We took their model (see table 1) and combined it with the results of the PNNL and AFRL brainstorming session with expert analysts to obtain a more inclusive list of the visualization needs required for analysts' tasks. Table 1 shows the original model and table 2 the updated model with the combined needs from the PNNL and AFRL brainstorming session.

Table 1. ID tasks and visualization needs table (25).

Phase: Monitoring
  Analyst Tasks:
    • Monitoring all attack alerts
    • Identifying potentially suspicious alerts
  Visualization Needs:
    • An overview of the alert data
    • Simple displays
    • Support for pattern and anomaly recognition
    • Flexibility
    • Speed of processing

Phase: Analysis
  Analyst Tasks:
    • Analyzing alert data
    • Analyzing other related data
    • Diagnosing attack
  Visualization Needs:
    • Multiple views, zoom, drill down, focus + context solutions
    • Correlation between displays, linked views
    • Filtering and data selection

Phase: Response
  Analyst Tasks:
    • Responding to attack
    • Documenting and reporting attack
    • Updating IDS
  Visualization Needs:
    • Suggestion for response action
    • Incident reporting
    • Annotation/feedback to facilitate future analysis
    • Saving views
    • Historical display
    • Reporting data transfer
Table 2. Updated ID tasks and visualization needs table.

Phase: Predevelopment
  Analyst Tasks:
    ❖ Need for systems analysis and design
    ❖ Incorporate human-computer interactions (HCI)
    ❖ Forefront approach of moving away from organizational and system needs to human needs
  Visualization Needs:
    o Incorporate more effective and abstract concepts to visualize
    o Build "network of trust" into the visualization system
    o Incorporate a communication medium to share data
    o Integrate geo-location into environment
    ❖ Incorporate human processing capabilities to analyze patterns and images

Phase: Monitoring
  Analyst Tasks:
    • Monitoring all attack alerts
    • Identifying potentially suspicious alerts
  Visualization Needs:
    • An overview of the alert data
    • Simple displays
    • Support for pattern and anomaly recognition
    • Flexibility
    • Speed of processing
    o Identify abnormalities
    o Identify impacts of breaches
    o Understand user perspective
    o Use timeline to order events and actions

Phase: Analysis
  Analyst Tasks:
    • Analyzing alert data
    • Analyzing other related data
    • Diagnosing attack
  Visualization Needs:
    • Multiple views, zoom, drill down, focus + context solutions
    • Correlation between displays and linked views
    • Filtering and data selection
    o Have clear focus on either mission impact versus system impact
    o Visualize characterization of attacks and attacker
    o Visualize identity of legitimate user
    o Switch between viewer perspectives to address what is interesting to look at
    o Usage of templates
    o Provide multi-dimensions beyond 2-D
    o Representation for generalized attack path
    o Representation that includes all nodes and routers
    o Representation of a particular timeline of events

Phase: Response
  Analyst Tasks:
    • Responding to attack
    • Documenting and reporting attack
    • Updating Intrusion Detection System (IDS)
  Visualization Needs:
    • Suggestion for response action
    • Incident reporting
    • Annotation/feedback to facilitate future analysis
    • Saving views
    • Historical display
    • Reporting data transfer
    o Visualize identified attacks and attackers
    o Visualize malicious actor
    o Visualize compromised systems
    o Visualize an intended attack through trace back

Phase: Future Development
  Analyst Tasks:
    ❖ Improving organizational processes for the entire analysis system
  Visualization Needs:
    ❖ Allow others to view current attack
    ❖ Integrate real-time (dynamic) animation
    ❖ Connect global resources visually
    ❖ Increase collaboration capabilities
    ❖ Incorporate data and report sharing on various networks

Key: • visualization needs according to Komlodi et al. (25); o visualization needs according to PNNL; ❖ added visualization needs.
3. Methodology


Preamble 

Step one is to understand the problem from the right perspectives. We purposely chose to focus on the user's (the analyst's) perspective as the right perspective for this survey.

Step two is to conduct a literature review of existing visualization tools and techniques that have the capability to meet the analysts' visualization needs according to their requirements list.

Step three is to pinpoint the types of visualization tools that could aid analysts' tasks in anomaly-based IDS.

Step four is to analyze the actual visualization tools' capabilities and evaluate their potential to meet the requirements and specifications of the end users.

Step five is to cross-reference the capabilities of the final selected visualization tools against the visualization needs for analysts' tasks at the five different phases.

Step six is to consider other factors that influence the decision to use a visualization tool.

Step seven is to analyze and make sense of the assessment.

Each  step  is  further  detailed  in  the  following: 

1. Understand the needs, concerns, and requirements from the perspective of the end users. This will provide a clearer direction for what types of visualization tools to research.

2.  Conduct  a  literature  review  on  visualization  tools  with  high  potential  of  meeting  the 
requirements  and  specifications  of  the  end  users. 

3.  Focus  literature  review  to  include  only  the  following  types  of  visualization  tools: 

•  Visual  programming  languages 

•  Visual  software  packages/kits 

•  Visual  libraries 

•  Visual  and  graphical  data  representations 

•  Innovative  visual  tools  that  can  be  applied  to  the  network  security  domain 

4.  Remove  the  visualization  tools  that  had  minimal  applicability  in  the  network  security 
domain. 
5. Cross-reference the final list of visualization tools against the identified visualization needs for analysts' tasks, organized into the five categories that represent the different phases of analysts' tasks.

6.  Consider  other  basic  factors  that  may  influence  one’s  decision  about  using  a  given 
visualization  tool.  We  look  at  the  following  factors: 

•  Cost  of  visualization  tool 

• Breadth of environments used on platforms

•  Programming  languages  used — if  any 

•  Integration  capability 

7. Analyze the assessment and determine its meaning.

4.  Most  Important  Features  for  Visualizing  Network  Data 


A network consists of links and nodes. It is important to first know the data. Spatial information and data statistics may be associated with these links and nodes. Our goal is to understand the data and not the networks themselves. Looking at the structure and connectivity of a graph reveals valuable relationships, and in those relationships we care about understanding the data associated with the links and nodes. The link-node relationships are further examined on visual displays. The network shown on the visual display is therefore determined by the parameters of the visual display: the values selected for each parameter control the characteristics that generate the final network seen on the display. We call the parameters of the visual network display "features of interest." According to Becker et al. (21), some of the most common features of interest include:

•  Statistic 

•  Levels 

•  Geography/Topology 

•  Time 

•  Aggregation 

•  Size 

•  Color 
Setting the values of each parameter produces many combinations of parameters. The task becomes identifying which combinations lead to the most valuable and interpretable displays. The easiest way to allow for this is to let the analyst or end user manipulate the values of the display parameters directly. This process is called direct manipulation. Direct manipulation provides at least the following controls:

•  Identification 

•  Linkmap  Parameter  Controls 

•  Matrix  Display  Parameter  Controls 

•  Nodemap  Parameter  Controls 

•  Animation 

•  Zooming 

•  Physical  Attributes  (color,  size,  shape,  etc.) 
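To make the parameter dependence concrete, here is an added example (Python; not from the report or from Becker et al.) that treats the features of interest as explicit display parameters. The same constructed flow records yield a different network for the display depending on the level, time window, statistic, and aggregation chosen, and size and color classes are then derived from the chosen statistic. The class and field names are this example's own.

```python
"""
Added example (not from the ARL report): the "features of interest" as explicit
display parameters. Changing level (host vs /24), time window, statistic and
aggregation changes which network the display draws from the same constructed
flow records; size and color are then derived from the chosen statistic.
Parameter names, flows and bin counts are this example's own assumptions.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed flow records: (t_seconds, src_ip, dst_ip, bytes).
FLOWS = [
    (0, "10.0.0.5", "10.0.1.10", 1500),
    (10, "10.0.0.6", "10.0.1.10", 900),
    (20, "10.0.0.5", "10.0.1.20", 300),
    (70, "10.0.0.7", "10.0.1.10", 2000),
    (80, "10.0.2.9", "10.0.1.30", 50_000),
    (90, "10.0.2.9", "10.0.1.10", 50_000),
]


@dataclass(frozen=True)
class DisplayParams:
    """One setting of the features of interest (Statistic, Levels, Time,
    Aggregation, Size, Color). Geography is omitted: no coordinates here."""
    statistic: str = "bytes"       # "bytes" (sum of bytes) or "flows" (count)
    level: int = 32                # prefix length: 32 = hosts, 24 = subnets
    time_window: tuple = (0, 120)  # [start, end) in seconds
    size_bins: int = 3             # node size classes derived from statistic
    color_levels: int = 3          # link color classes derived from statistic


def node_at_level(ip, level):
    """Levels: collapse an address to its /level prefix, the node it maps to."""
    return str(ipaddress.ip_network(f"{ip}/{level}", strict=False))


def aggregate_links(flows, params):
    """Aggregation: combine flows into links keyed by (src node, dst node),
    restricted to the time window and valued by the chosen statistic."""
    start, end = params.time_window
    links = defaultdict(int)
    for t, src, dst, nbytes in flows:
        if not (start <= t < end):
            continue
        key = (node_at_level(src, params.level), node_at_level(dst, params.level))
        links[key] += nbytes if params.statistic == "bytes" else 1
    return dict(links)


def bin_value(value, lo, hi, bins):
    """Map a statistic onto 0..bins-1 so size and color can be drawn from it."""
    if hi == lo:
        return 0
    return min(bins - 1, int((value - lo) / (hi - lo) * bins))


def render_spec(flows, params):
    """What a node/link display needs: a size class per source node (binned
    outgoing statistic) and a color class per link (binned link statistic)."""
    links = aggregate_links(flows, params)
    if not links:
        return {"nodes": {}, "links": {}}
    lo, hi = min(links.values()), max(links.values())
    node_total = defaultdict(int)
    for (src, _), v in links.items():
        node_total[src] += v
    nlo, nhi = min(node_total.values()), max(node_total.values())
    return {
        "nodes": {n: bin_value(v, nlo, nhi, params.size_bins) for n, v in node_total.items()},
        "links": {k: bin_value(v, lo, hi, params.color_levels) for k, v in links.items()},
    }


if __name__ == "__main__":
    for params in (DisplayParams(), DisplayParams(level=24),
                   DisplayParams(level=24, statistic="flows"),
                   DisplayParams(time_window=(0, 60))):
        print(params)
        print("  ", render_spec(FLOWS, params))
```

At host level the display has six links and the 50,000-byte flows from 10.0.2.9 dominate both size and color; at /24 level the same data collapses to two links, and switching the statistic to flow counts reverses which subnet looks heavier (four flows from 10.0.0.0/24 against two from 10.0.2.0/24). That reversal is the point of letting the analyst manipulate these parameters directly rather than fixing them in the tool.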


5.  Visualization  Tools  Breakdown 


The literature review resulted in 59 visualization tools whose capabilities are applicable to aiding network security analysts' tasks. We purposely chose to focus on the capabilities of each tool that would specifically aid the network security tasks done by the analysts, our end users. These tools have been regrouped into similar types: Cooperative Association for Internet Data Analysis (CAIDA) tools (26), visualization programming language tools, visualization software packages/kits, visualization libraries, and graphical data representation tools; tools that we deem a novel or creative approach to solving problems in the cyber network domain are lumped together as innovative tools. A brief description of each group and the sub-list of visualization tools are provided here. Figure 1 is an overview of the assessed visualization tools broken down into groups.
Figure 1. Breakdown of assessed visualization tools (pie chart; categories: CAIDA Tools, Visualization Programming Language Tools, Visualization Software Packages/Kits, Visualization Libraries, Visualization & Graphical Data Representation Tools, Innovative Visualization Tools).


5.1 CAIDA Tools

CAIDA is a collaborative undertaking among organizations in the commercial, government, and research sectors aimed at promoting greater cooperation in the engineering and maintenance of a robust, scalable global Internet infrastructure (27). CAIDA provides macroscopic insights into Internet infrastructure by looking at behavior, usage, and evolution. It fosters a collaborative environment in which data can be acquired, analyzed, and shared when appropriate (27). Its goal is to improve the integrity of the Internet science field as well as to inform public policy on science, technology, and communications. CAIDA has created tools that address routing, addressing, topology, workload characterization, network security, the Domain Name System (DNS), performance, and trends. Of all its available tools, thirteen are most applicable to aiding network security analysts' tasks: AutoFocus, Beluga, Cichlid, Cuttlefish, FlowScan, GeoPlot, GTrace, MapNet, Otter, Plankton, PlotPaths, Real Traffic Grabber (RTG), and Walrus. The CAIDA tools account for 13/59 = 22% of the total visualization tools surveyed for network security analysts' tasks. Table 3 highlights the strengths and weaknesses of each visualization tool in this group.
Table 3. CAIDA tools capabilities (all web sites accessed 1/29/2014).

AutoFocus
  Web site: http://www.caida.org/tools/measurement/autofocus/
  Strengths: Produces reports and plots for various time periods ranging from weeks to half-hour intervals; drill-down capability.
  Weaknesses: Few monitoring capabilities; no analysis capabilities; one response capability.

Beluga
  Web site: http://www.caida.org/tools/measurement/beluga/gallery/
  Strengths: Interactive front end to traceroute data.
  Weaknesses: Few monitoring capabilities; no analysis or response capabilities.

Cichlid
  Web site: http://www.isoc.org/inet2000/cdproceedings/1d/1d_3.htm
  Strengths: Collects large amounts of data through Transmission Control Protocol (TCP) connections; animates bar charts and vertex-and-edge graphs; can be used as a server; 3-D and zoom views.
  Weaknesses: Few analysis capabilities; no monitoring or response capabilities.

Cuttlefish
  Web site: http://www.caida.org/tools/visualization/cuttlefish/witty-hosts.xml
  Strengths: Geographical maps; color-coded data; moving boundary line; optional color legend; single image; collection of related images; animated Graphics Interchange Format (GIF).
  Weaknesses: One monitoring capability; no analysis or response capabilities.

FlowScan
  Web site: https://www.usenix.org/legacy/events/lisa00/full_papers/plonka/plonka_html/
  Strengths: Analyzes and reports on NetFlow data; examines data and maintains counters.
  Weaknesses: Few analysis and response capabilities; no monitoring capabilities.

GeoPlot
  Web site: http://www.caida.org/tools/visualization/geoplot/
  Strengths: Plots a set of nodes and a set of lines connecting those nodes on an image specified by the user.
  Weaknesses: Few analysis capabilities; no monitoring or response capabilities.

GTrace
  Web site: http://www.caida.org/tools/visualization/gtrace/snapshots/
  Strengths: Flexible enough to support additional databases; heuristics to map Internet Protocol (IP) addresses to physical locations and maps.
  Weaknesses: One monitoring and one analysis capability; no response capabilities.

MapNet
  Web site: http://www.caida.org/publications/visualizations/
  Strengths: Ability to control complexity; flexibility in presentation; subset data in real time; view network with or without background map.
  Weaknesses: One monitoring and one analysis capability; no response capabilities.

Plankton
  Web site: http://www.caida.org/tools/visualization/plankton/
  Strengths: Topological or geographical display; toggle, zoom, and pan; move a single node or sub-tree; coloring; time-sequence animation.
  Weaknesses: One monitoring and one analysis capability; no response capabilities.

Otter
  Web site: http://www.caida.org/tools/visualization/otter/otter_plots/
  Strengths: Visualizes node, link, or path; high memory usage for large data sets; geographical or topological placement; modification of the display via zoom, focus, and other graph layout options.
  Weaknesses: One monitoring capability; no analysis or response capabilities.

PlotPaths
  Web site: http://www.caida.org/tools/visualization/plotpaths/plotpaths_shots.xml
  Strengths: Calculates node depth; creates rows and columns; prevents vertical link overlap; assigns x and y coordinates to nodes; arranges nodes horizontally.
  Weaknesses: One analysis capability; no monitoring or response capabilities.

RTG
  Web site: http://www.caida.org/tools/measurement/rtg/
  Strengths: Runs as a daemon; written in C; multithreaded; uses a relational database; polls at sub-one-minute intervals.
  Weaknesses: Windows platform is not supported; one monitoring capability; no analysis or response capabilities.

Walrus
  Web site: http://www.bcliving.ca/garden/what-does-the-internet-look-like
  Strengths: Indicates a user's page activities; accumulates user accesses over time to identify Web pages that are visited more often; allows direct navigation.
  Weaknesses: Few monitoring capabilities; one analysis capability; no response capabilities.
5.2 Visualization Programming Language Tools

Visual programming language (VPL) tools are those that, in computing, allow the user to create programs by manipulating program elements graphically instead of textually (28). A VPL provides this programming through visual expressions and spatial arrangements of text or graphic symbols. The VPL tools accounted for in this survey include ClojureAtlas, GINY, and Processing JS. These VPL tools make up 2/59=3.0% of the total visualization tools surveyed for the network security analysts’ tasks. Table 4 highlights the strengths and weaknesses of each visualization tool in this group.

Table 4. Visualization programming language tools’ capabilities.

Visualization Programming Language Tools’ Capabilities
Columns: Name; Web Site (all accessed 01/29/2014); Strengths; Weaknesses.

ClojureAtlas
  Web site: http://fsteeg.com/2012/02/26/visualize-clojure-code-in-eclipse-with-dot-and-zest/
  Strengths: Efficient and robust infrastructure for multithreaded programming; compiles directly to JVM and remains completely dynamic.
  Weaknesses: No monitoring nor analysis capabilities; one response capability.

Processing JS
  Web site: http://processingjs.org/
  Strengths: Does typography, math, shapes, structures, images, and rendering; has various transformations, data types, input types, controls, input and output formats; has light and camera settings; creates environment.
  Weaknesses: No response capabilities.

5.3 Visual Software Packages and Kits

Visualization software usually incorporates a range of computer graphics products used to create graphical displays or interfaces for software applications. The visualization software tools accounted for in this survey include Complex System SCILAB Toolbox, GraphViz, Igraph, NetDraw, Network Workbench, OpenDX, Prefuse, Sci2 Tool, and Visualization Toolkit (VTK). They make up 8/59=13.55% of the total visualization tools surveyed for the network analysts’ tasks. Table 5 highlights the strengths and weaknesses of each visualization tool in this group.
Table 5. Visualization software packages and kits’ capabilities.

Visualization Software Packages and Kits’ Capabilities
Columns: Name; Web Sites (all accessed 01/29/2014); Strengths; Weaknesses.

Complex Systems SCILAB Toolbox
  Web site: http://www.randomfactory.com/openastro/osx/scilab-info.html
  Strengths: Measures graph parameters.
  Weaknesses: Academic Free License (AFL); works on UNIX and Windows; programming language is MATLAB; no analysis or response capabilities.

GraphViz
  Web site: http://kurata21.bio.kyutech.ac.jp/grid/grid_layout.htm
  Strengths: Has features for concrete diagrams, such as options for colors, fonts, tabular node layouts, line styles, hyperlinks, roll and custom shapes; works on all major platforms.
  Weaknesses: Eclipse Public License (EPL) v1.0; one monitoring capability; no analysis nor response capabilities.

NetDraw
  Web site: http://electricosas.blogspot.com/2011/10/netdraw-v-laku-dr-ina-hans-detlef.html
  Strengths: Generate and manipulate graphs; easy to install and use; fully integrated with Ucinet; integrates with Pajek; has command-line language to help automate procedures.
  Weaknesses: Windows platform only; performs basic analysis; has been used for social networks only; system documentation not fully developed; no response capabilities.

Network Workbench
  Web site: http://scimaps.org/atlas/part3.html
  Strengths: Provides means to carry out network analysis, modeling, and visualization projects in own fields; and provides shared resource environment.
  Weaknesses: No monitoring capabilities; few analysis capabilities.

OpenDX
  Web site: http://www.opendx.org or http://vlsicad.eecs.umich.edu/BK/Slots/cache/www.opendx.org/index2.php
  Strengths: Visualization for scientific, engineering, and analytical data; open source; can handle overlapping grids with ease.
  Weaknesses: Graphical User Interface (GUI) is not really compatible with network data in the cyber security sense; no monitoring, analysis, or response capabilities.

Prefuse
  Web site: http://weka.wikispaces.com/Explorer+tree+visualization+plugins
  Strengths: Dynamic queries; animation support; table, graph, and tree data structure support; panning and zooming; flexibility for multiple views.
  Weaknesses: Ease-of-use is medium to difficult; no analysis or response capabilities.

Sci2 Tool
  Web site: http://www.vivoweb.org
  Strengths: Supports temporal, geospatial, topical, and network analysis; does visualization of datasets at the micro (individual), meso (local), and macro (global) levels.
  Weaknesses: Made for sciences in general; no monitoring capabilities.

Visualization Toolkit (VTK)
  Web site: http://www.vtk.org/
  Strengths: Does scalar, vector, tensor, texture, and volumetric methods; advanced modeling; implicit modeling, polygon reduction, mesh smoothing, cutting, contouring, and triangulation.
  Weaknesses: Ease-of-use is medium to difficult; no response capabilities.
5.4 Visualization Library Tools

Visualization libraries are an extension of visualization software and usually come in packages or toolkits. The visualization library tools accounted for in this survey include Impure (now Quadrigram), InfoVis Cyberinfrastructure, Jgraph, JUNG, and the Visualization Library. They make up 7/59=11.86% of the total visualization tools surveyed for the network analysts’ tasks. Table 6 highlights the strengths and weaknesses of each visualization tool in this group.

Table 6. Visualization library tools’ capabilities.

Visualization Library Tools’ Capabilities
Columns: Name; Web Sites (accessed 01/29/2014); Strengths; Weaknesses.

Impure (now Quadrigram)
  Web site: http://www.quadrigram.com/in_action
  Strengths: High interoperability; publish publicly or share privately; geo-data; quadrification; and stack flow.
  Weaknesses: Ease of use is more difficult for a nonprogrammer, a nonengineer, or anyone unfamiliar with data analysis.

InfoVis Cyber-Infrastructure
  Web site: http://iv.slis.indiana.edu/sw/
  Strengths: Integration of algorithms as plug-ins; completely open source; and allows for development.
  Weaknesses: Algorithms are implemented in different programming languages; no response capabilities.

Jgraph
  Web site: http://www.jgraph.com/mxgraph.html
  Strengths: Generate and manipulate graphs; assign attributes to links and nodes; has R and Python interface support for visualization; is open source.
  Weaknesses: Must be familiar with programming languages C, R, and Python; no response capabilities.

JUNG
  Web site: https://blogs.reucon.com/asterisk-java/tag/visualization/
  Strengths: Create custom layouts and can annotate graphs, links, and nodes with any Java data type.
  Weaknesses: Must be familiar with coding in Java to call the routines; no monitoring or response capabilities.

Visualization Library
  Web site: http://visualizationlibrary.org/documentation/pag_gallery.html
  Strengths: Lightweight C++ OpenGL middleware; volume rendering; animation; and memory management.
  Weaknesses: Few analysis capabilities; no monitoring or response capabilities.

Igraph
  Web site: http://igraph.sourceforge.net/screenshots.html
  Strengths: Generate and manipulate graphs; R package and Python module for 3-D interactivity; well documented for users and developers.
  Weaknesses: May only implement your own algorithms in C, R, Python or Ruby; one analysis capability; no monitoring nor response capabilities.

GINY
  Web site: http://csbi.sourceforge.net/screenshots.html
  Strengths: An interface layer that is useful for building graphing projects.
  Weaknesses: Provides no official algorithms; few analysis capabilities; no response capabilities.
5.5 Graphical Data Representation Tools

Graphical data representation tools are designed to reveal patterns in the data that are difficult to detect otherwise. The visual depictions of data are almost universally understood without requiring knowledge of language. The visualization and graphical data representation tools accounted for in this survey include AVS Express, Axiis, Cytoscape, Gephi, GGobi, GUESS, Inflow 3.1, LANet-Vi, NAViGaTOR, NodeXL, Pajek, Protovis, Tableau Desktop, and TouchGraph. They make up 14/59=23.7% of the total visualization tools surveyed for network analysts’ tasks. Table 7 highlights the strengths and weaknesses of each visualization tool in this group.

Table 7. Graphical data representation tools’ capabilities.

Graphical Data Representation Tools’ Capabilities
Columns: Name; Web Sites (accessed 01/29/2014); Strengths; Weaknesses.

AVS Express
  Web site: http://www.cybernet.co.jp/avs/english/avsexpress.html
  Strengths: Uses hardware power; manages memory better; faster graphics; specialized modules; and cross-platform.
  Weaknesses: Ease-of-use is medium to difficult; few analysis capabilities; no response capabilities.

Axiis
  Web site: http://datavisualization.ch/showcases/visualizing-historic-browser-statistics-with-axiis/
  Strengths: Prebuilt visualization components, abstract layout patterns, and rendering classes allow you to create your own visualizations.
  Weaknesses: No monitoring or response capabilities.

Cytoscape
  Web site: http://nemo-cyclone.sourceforge.net/graphs.php
  Strengths: Domain-independent; calculate statistics of network, find shortest path, find clusters; integrates with Igraph, Pajek, GraphViz, and more.
  Weaknesses: No analysis or response capabilities.

Gephi
  Web site: https://gephi.org/
  Strengths: Exploratory data analysis, link analysis, social network analysis, biological network analysis, and poster creation.
  Weaknesses: No monitoring or response capabilities.

GGobi
  Web site: http://www.statmethods.net/advgraphs/interactive.html
  Strengths: Highly dynamic and interactive graphics; R analysis; tour in high dimension; and display plug-in available.
  Weaknesses: No monitoring or response capabilities.

GUESS
  Web site: http://graphexploration.cond.org/
  Strengths: Supports dynamic and time-sensitive data; animation; import and export standard formats; works with other tools (JUNG, Prefuse, and TouchGraph).
  Weaknesses: No analysis capabilities.
Table 7. Graphical data representation tools’ capabilities (continued).

Graphical Data Representation Tools’ Capabilities
Columns: Name; Web Sites (accessed 01/29/2014); Strengths; Weaknesses.

Inflow 3.1
  Web site: http://www.orgnet.com/inflow3.html
  Strengths: Cluster analysis; network density; external and internal ratio; weighted average path length; shortest path; and path distribution.
  Weaknesses: No monitoring or response capabilities.

LANet-Vi
  Web site: http://sourceforge.net/projects/lanet-vi/
  Strengths: Connectivity and clustering properties within a k-shell, and correlations between degree and shell index.
  Weaknesses: Programming language is C++; no monitoring or response capabilities.

NAViGaTOR
  Web site: http://web.cs.toronto.edu/research/profiles/nav.htm
  Strengths: Queries OPHID/I2D online databases; displays networks in 2-D/3-D; provides analytical capabilities; supports standard input/output formats.
  Weaknesses: No monitoring or response capabilities.

NodeXL
  Web site: http://www.connectedaction.net/nodexl/
  Strengths: Flexible import/export; direct connections to social networks; zoom scale; flexible layout; easily adjust appearance; dynamic filtering; powerful vertex grouping; graph metric calculations; and task automation.
  Weaknesses: No response capabilities.

Pajek
  Web site: http://www.roget.org/graphics/PajekWXW.gif
  Strengths: Supports abstraction; implementation of sub-quadratic algorithms; clusters; extract and shrink vertices; multirelational networks; and 2-mode networks.
  Weaknesses: No monitoring or response capabilities.

Tableau Desktop
  Web site: http://www.tableausoftware.com/
  Strengths: Connect to data in a file or on a server; handles spreadsheets, databases, and big data; more than 90 features; Web and mobile authoring; visual analytics; business integration; and high performance.
  Weaknesses: Not open source or free; only available on Windows and Mac platforms.

TouchGraph
  Web site: http://scoutness.com/touchgraph-discover-the-relationships-contained-in-popular-information-sources/
  Strengths: Many relationship types supported; associate text and numerical attributes with nodes and edges; images can be associated with nodes; advanced clustering.
  Weaknesses: No response capabilities.
5.6 Innovative Visualization Tools

The innovative visualization tools are tools developed from projects, successful tools from other domain fields, and interesting research that can all be applied to the network security domain to aid analysts’ tasks. The innovative tools accounted for in this survey include Bloom Diagram, Circos, DocuBurst, NVIVO, PathFinder, PeopleGarden, SemaSpace, Schemaball, SocSciBot, The Web Stalker, ThinkMap, ThreadArcs, Visone, Visualyzer 2.1, and WebFan. They make up 15/59=25.4% of the total visualization tools surveyed for network analysts’ tasks. Table 8 highlights the strengths and weaknesses of each visualization tool in this group.

Table 8. Innovative visualization tools’ capabilities.

Innovative Visualization Tools’ Capabilities
Columns: Name; Web Sites (all accessed 01/29/2014); Strengths; Weaknesses.

Bloom Diagram
  Web site: http://www.visualcomplexity.com/vc/project.cfm?id=358
  Strengths: Keyboard controls to zoom in, out, and pan around the screen; play animation over time.
  Weaknesses: No monitoring or response capabilities.

Circos
  Web site: http://mkweb.bcgsc.ca/template/circos/$url_root/tableviewer/
  Strengths: Plaintext files are easily automated; simple format for input/output; rules are snippets of code.
  Weaknesses: No analysis or response capabilities.

DocuBurst
  Web site: http://tapor.ca/?id=123
  Strengths: A radial, space-filling layout of hyponymy (IS-A relation); zoom; filter; document visualization.
  Weaknesses: Visualizes words only; no response capabilities.

NVIVO
  Web site: http://blogs.city.ac.uk/educationalvignettes/2011/06/01/nvivo-software-training-for-support-qualitative-research-in-he/#.Ui8c7H-sYvY
  Strengths: Import YouTube videos; import social network posts; work with Web pages and online PDFs; work with non-English interfaces; and provide automatic coding for social networks.
  Weaknesses: More of a collaboration tool; no analysis, monitoring, or response capabilities.

PathFinder
  Web site: http://tecfa.unige.ch/perso/wap/PathFinder/
  Strengths: Displays the Web site structure and the customers’ navigation paths in a 3-D visualization.
  Weaknesses: Programming language is Java; not open source.

PeopleGarden
  Web site: See reference 29 in the “References” list; http://dl.acm.org/citation.cfm?id=322581
  Strengths: Useful for threaded discussion spaces such as Usenet newsgroups and for interaction spaces like chat rooms.
  Weaknesses: No analysis or response capabilities.

SemaSpace
  Web site: http://residence.aec.at/didi/FLweb/
  Strengths: Creates interactive graph layers in 2-D and 3-D; calculates complex networks; incorporates additional data such as images, sounds, and full texts.
  Weaknesses: No monitoring or response capabilities.
Table 8. Innovative visualization tools’ capabilities (continued).

Innovative Visualization Tools’ Capabilities
Columns: Name; Web Sites (all accessed 01/29/2014); Strengths; Weaknesses.

Schemaball
  Web site: http://mkweb.bcgsc.ca/schemaball/?tour
  Strengths: Creates flexible visualizations of database schemas; schemas may be read from an SQL schema dump, flat file, or live database.
  Weaknesses: No monitoring or response capabilities.

SocSciBot
  Web site: http://webometrics.wlv.ac.uk/networkhelp/
  Strengths: Produces network diagrams for export to Pajek and UCINET and analyzes links.
  Weaknesses: One analysis capability; no response capability.

The Web Stalker
  Web site: http://artsconnected.org/resource/89192/i-o-d-4-the-web-stalker
  Strengths: New, refreshing visual metaphors of data for the Web.
  Weaknesses: Available by author only; no monitoring or response capabilities.

ThinkMap
  Web site: http://www.thinkmap.com/thinkmapsdk.jsp
  Strengths: Interfaces are useful for communicating a dataset’s structure; fully dynamic; deployed as a client-only application.
  Weaknesses: Not open source or free; no analysis, monitoring, or response capabilities.

ThreadArcs
  Web site: http://flowingdata.com/2008/03/19/21-ways-to-visualize-and-explore-your-email-inbox/
  Strengths: Provides chronology, relationships, stability, compactness, attribute highlighting, scaling, interpretation, and meaning.
  Weaknesses: No analysis or response capabilities; unknown how to obtain software.

Visone
  Web site: http://harambeenet.org/board07/apps/visone/visone-firststeps.html
  Strengths: Interactive GUI tailored for social networks; import and export of standard formats for social network data; and publication quality for exports.
  Weaknesses: No monitoring or analysis capabilities.

VisuaLyzer
  Web site: http://socioworks.com/productsall/visualyzer/
  Strengths: Create graphs; import and export network data in many formats; customize visual properties of nodes and links; images of your choice can be used to represent nodes; conduct analysis for calculating network- and nodal-level indices.
  Weaknesses: Only supports Windows; not open source or free; basic analysis; no monitoring or response capabilities.
Table 8. Innovative visualization tools’ capabilities (continued).

Innovative Visualization Tools’ Capabilities
Columns: Name; Web Sites (all accessed 01/29/2014); Strengths; Weaknesses.

WebFan
  Web site: http://www.visualcomplexity.com/vc/project_details.cfm?id=128&index=25&domain=social%20networks
  Strengths: Use of color indicating user’s page activities; accumulating user accesses over time to identify Web pages that are visited more often; allows direct navigation.
  Weaknesses: No response capabilities.

6. Survey Analysis

The visualization tools’ capabilities were cross-referenced against the analysts’ initial visualization needs highlighted at the beginning of this report. The initial visualization needs of the intended end user are categorized into a general cyber-analysis task phase model, which we have expanded from reference 25. Our enhanced cyber analysis task phase model is now: Pre-Development (PD), Monitoring (M), Analysis (A), Response (R), and Future Development (FD). Within each particular task phase, the associated visualization needs have been numerically ordered following the task phase abbreviation (refer to table 9).


Table 9. Visualization needs for the pre-development phase.

Visualization Needs for the Pre-Development Phase
PD1: Incorporate more effective and abstract concepts to visualize
PD2: Build “network of trust” into the visualization system
PD3: Incorporate a communication medium to share data
PD4: Integrate geo-location into environment
PD5: Incorporate human processing capabilities to analyze patterns and images

The “Visualization Needs for the Pre-Development Phase” chart (see table 9) has been coded for ease of readability in the bar graph (see figure 2), which reflects the actual number of tools that are capable of meeting each particular need in the Pre-Development Phase.
Figure 2. Visualization tools for the pre-development phase chart.

Six of the surveyed visualization tools proved to meet the visualization needs for analysts’ tasks in the Pre-Development Phase. Visualization need “PD3” may be accomplished by using visualization tools NVIVO or Impure. NVIVO allows import of YouTube videos and social network posts, and working collaboration with Web pages or online PDFs. Impure has preconfigured solutions accessible through multiple data sources. Both of these tools aid in incorporating a communication medium to share data to foster analysts’ tasks.

Visualization need “PD4” may be accomplished by using visualization tools PlotPaths, MapNet, and GeoPlot. PlotPaths assigns x and y coordinates to nodes, then arranges them horizontally. MapNet can view a network with or without the background map. GeoPlot plots a set of nodes and a set of lines that connect them to the user’s location. These tools aid in the integration of geo-location into the display environment.

The “Visualization Needs for the Monitoring Phase” chart has been coded for ease of readability in the bar graph below, which reflects the actual number of tools that are capable of meeting each particular need in the Monitoring Phase (refer to table 10 and figure 3).


Table 10. Visualization needs for the monitoring phase.

Visualization Needs for the Monitoring Phase
M1: An overview of the alert data
M2: Simple displays
M3: Support for pattern and anomaly recognition
M4: Flexibility
M5: Speed of processing
M6: Identify abnormalities
M7: Identify impacts of breaches
M8: Understand user perspective
M9: Use timeline to order events and actions

Figure 3. Visualization tools for the monitoring phase chart.

Thirty-three of the surveyed visualization tools proved to meet the visualization needs for analysts’ tasks in the Monitoring Phase. Visualization need “M1” may be accomplished by using visualization tools AutoFocus, Cytoscape, Plankton, and SocSciBot. AutoFocus produces plots that can represent the entire network. Cytoscape calculates the statistics of a network, finds the shortest path, and clusters the data. Plankton does both topological and geographical displays of an entire network. SocSciBot produces standard statistics of interlinking network diagrams. These tools aid in giving the overview of alerts that may be present in a network.

Capability  assessment  for  the  following  visualization  need(s)  for  analysts’  tasks: 

• Visualization need “M2” may be accomplished by using visualization tools Circos, Cytoscape, DocuBurst, Impure, InfoVis Cyberinfrastructure, Jgraph, NetDraw, Prefuse, Processing JS, Protovis, TouchGraph, and VTK. Circos provides circular visualization only and no analysis capabilities. Cytoscape provides multiple simple layouts. DocuBurst provides a specific radial, space-filled layout of hyponymy (IS-A relation) for data. Impure has a rich library of interactive visualizations for data. InfoVis Cyberinfrastructure uses common layout algorithms for data representation. Jgraph has a selection of layouts including hierarchical layouts, organic layouts, and tree layouts. NetDraw has multiple options to represent data, including direct manipulation and interactive styles. Prefuse provides various displays and layout components. Processing JS does animation, behaviors, layouts, and relationships. Protovis uses topological methods, math, shapes, structures, and rendering to produce various data representations. TouchGraph associates text and numerical attributes with nodes and edges. VTK provides scalar, vector, tensor, texture, and volumetric methods. These tools aid in creating simple displays for analysts’ tasks.

• Visualization need “M3” may be accomplished by using visualization tools Complex System SCILAB Toolbox, Cuttlefish, GINY, GraphViz, and Prefuse. Complex System SCILAB Toolbox measures degree distribution, averages neighboring degree, and finds average clustering and shell index. Cuttlefish provides simple images, geographical maps, color-coded data, and animated GIF. GINY is an interface layer useful for building graphical objects. GraphViz makes available useful features for concrete diagrams and tabular node layout. Prefuse provides flexibility and animation support. These visualization tools have capabilities that, when tweaked and placed in ensemble with other tools, will support both pattern and anomaly recognition for analysts’ tasks.

• Visualization need “M4” may be accomplished by using visualization tools GTrace, MapNet, and NodeXL. GTrace is flexible to support the addition of new databases. MapNet has flexibility in data representations. NodeXL is flexible with its layouts and import and output formats. These visualization tools are flexible in some aspect of the capabilities presented to aid analysts’ tasks.

• Visualization need “M5” may be accomplished by using visualization tools AVS Express, Otter, and Tableau Desktop. AVS Express manages memory better and provides faster graphics. Otter has high memory usage for large data sets. Tableau Desktop connects to data in a file or on a server with high performance rates. These visualization tools provide better speeds of processing compared to most visualization tools, and this is a plus for aiding analysts’ tasks.

• Visualization needs “M6” and “M7” may be accomplished by using visualization tool Walrus. Walrus does labeling and interactive pruning of graphs.

• Visualization need “M8” may be accomplished by using visualization tool PathFinder. PathFinder displays Web site structure and uses trace backs to understand user perspective. This capability may also be used to identify impacts of breaches and therefore aids the analysts’ tasks.

• Visualization need “M9” may be accomplished by using visualization tools AutoFocus, Beluga, BloomDiagram, GUESS, RTG, Thread Arcs, and WebFan. AutoFocus has various time period layouts ranging from weeks to half-hour intervals. Beluga shows both total round-trip time and per-hop round-trip time. BloomDiagram plays animation of the activity over time. GUESS supports dynamic and time-sensitive data. RTG polls at sub-one-minute intervals. Thread Arcs provides chronology and relationships found in e-mail. WebFan accumulates user accesses over time. These visualization tools use forms of timelines to order events and actions that aid analysts’ tasks.

The “Visualization Needs for the Analysis Phase” chart has been coded for ease of readability in the bar graph below, which reflects the actual number of tools that are capable of meeting each particular need in the Analysis Phase (refer to table 11 and figure 4).

Table 11. Visualization needs for the analysis phase.

Visualization Needs for the Analysis Phase
A1: Multiple views, zoom, drill down, focus+context solutions
A2: Correlation between displays and linked views
A3: Filtering and data selection
A4: Have a clear focus on either mission impact or system impact
A5: Visualize characterization of attacks and attacker
A6: Visualize identity of legitimate user
A7: Switch between viewer perspectives to address what is interesting to look at
A8: Provide multidimensions beyond 2-D
A9: Usage of templates
A10: Representation that includes all nodes and routers
A11: Representation of a particular timeline of events
A12: Representation for generalized attack path
Figure 4. Visualization tools for the analysis phase chart.

Thirty-seven of the surveyed visualization tools proved to meet the visualization needs for analysts’ tasks in the Analysis Phase. Visualization need “A1” may be accomplished by using visualization tools AutoFocus, BloomDiagram, Cichlid, DocuBurst, Inflow 3.1, MapNet, NodeXL, Plankton, and Walrus. AutoFocus can drill down into separate pages for each category. BloomDiagram zooms in and out of the network and pans around the screen. Cichlid provides a zooming point of view. DocuBurst provides zooming and filter techniques. Inflow 3.1 allows internal and external ratio, weighted average path length, shortest path, and path distribution. MapNet views networks with or without a background map. NodeXL has zoom scale and easily adjusts data appearance. Plankton provides display toggle, zoom, pan, and does time sequence animation. Walrus allows panning and zooming of network graphs. These visualization tools aid in providing multiple views, zoom, drill down, and focus+context solutions for analysts’ tasks.

Capability  assessment  for  the  following  visualization  need(s)  for  analysts’  tasks: 

• Visualization need “A2” may be accomplished by using visualization tools Beluga and Bloom Diagram. Beluga provides statistical breakdown of Round Trip Times (RTTs) for trend analysis. Both visualization tools aid in providing correlation between displays and linked views for analysts’ tasks.

• Visualization need “A3” may be accomplished by using the visualization tools FlowScan, Impure, JUNG, NodeXL, Pajek, PlotPaths, Sci2 Tool, The Web Stalker, and WebFan. FlowScan examines flow data and maintains counters. Impure accesses multiple data sources. JUNG provides filtering mechanisms. NodeXL provides dynamic filtering and powerful vertex grouping. Pajek extracts vertices, shrinks vertices, and finds clusters in networks. PlotPaths assigns x and y coordinates to nodes and then arranges them. Sci2 Tool does preprocessing, visualization, modeling, network extraction, and analysis. The Web Stalker reads and manipulates information. WebFan allows direct navigation through network data. These visualization tools aid in providing filtering and data selection for analysts’ tasks.

• Visualization needs “A5” and “A6” may be accomplished by using the visualization tool GTrace. GTrace uses methods to either determine or guess the physical location of a node in a traceroute path. This capability may be used to visualize the characterization of attacks, the attacker, and the identity of a legitimate user for analysts’ tasks.

• Visualization need “A7” may be accomplished by using the visualization tool Igraph. Igraph creates and manipulates directed and undirected graphs. This capability allows easy switching between perspective views, addressing what is interesting to look at for analysts’ tasks.

• Visualization need “A8” may be accomplished by using the visualization tools Cichild, GGobi, NAViGaTOR, PathFinder, SemaSpace, Visualization Library, and VTK. Cichild provides 3-D representation layouts. GGobi allows touring in high dimensions. NAViGaTOR displays networks in 2-D and 3-D. PathFinder shows customers’ navigation paths in a 3-D visualization. SemaSpace creates interactive graph layers in 2-D and 3-D. Visualization Library supports high-performance 2-D and 3-D graphics applications. VTK creates 3-D graphics. These visualization tools provide capabilities for multiple dimensions beyond 2-D, aiding analysts’ tasks.

• Visualization needs “A10” and “A11” may be accomplished by using the visualization tools Axiis, Cichild, GeoPlot, GGobi, GINY, Jgraph, LANET-Vi, NetDraw, Processing JS, Protovis, and TouchGraph. Axiis provides visualization components and abstract layouts, and creates unique visualizations. Cichild animates bar charts and vertex and edge graphs. GeoPlot plots a set of nodes and a set of connecting lines over an image specified by the user. GGobi provides highly dynamic and interactive graphics. GINY, an interface layer, is useful for building graphical objects. Jgraph has a selection of layouts including hierarchical, organic, and tree layouts. NetDraw has multiple options to represent data, including direct manipulation and interactive styles. Processing JS handles topology, math, shapes, structures, and rendering. Protovis handles animation, behaviors, layouts, and relationships. TouchGraph associates text and numerical attributes with nodes and edges. These visualization tools provide representations for nodes, routers, and a particular timeline of events for analysts’ tasks.

The “Visualization Needs for the Response Phase” chart has been coded for ease of readability in the bar graph below, reflecting the actual number of tools that are capable of meeting each particular need in the Response Phase (refer to table 12 and figure 5).
Table 12. Visualization needs for the response phase.

Visualization Needs for the Response Phase

R1    Suggestion for response action
R2    Incident reporting
R3    Annotation/feedback to facilitate future analysis
R4    Saving views
R5    Historical display
R6    Reporting data transfer
R7    Visualize identified attacks and attackers
R8    Visualize malicious actor
R9    Visualize compromised systems
R10   Visualize an intended attack through trace back

[Bar chart: Compatibility Assessment for Response Phase; bars labeled R1, R2, R3]

Figure 5. Visualization tools for the response phase chart.

Seven of the surveyed visualization tools proved applicable to the visualization needs for analysts’ tasks in the Response Phase. Visualization need “R2” may be accomplished by using the visualization tools AutoFocus, FlowScan, Sci2 Tool, and Visone. AutoFocus produces reports. FlowScan analyzes NetFlow format data and produces reports from it. Sci2 Tool provides database functionality, has a scheduler, and does data preparation. Visone exports at publication quality and is good for reporting. These tools aid in providing capabilities that make incident reporting more effective for analysts’ tasks.
Capability assessment for the following visualization need(s) for analysts’ tasks:

• Visualization need “R3” may be accomplished by using ClojureAtlas. This tool can access documentation, provide sources, and view relationships visually. ClojureAtlas is a good visualization tool in that its capabilities aid in documenting and reporting an attack.

• Visualization need “R6” may be accomplished by using GUESS and FlowScan. GUESS imports and exports standard formats usable for reporting and data transfer. FlowScan analyzes and reports on NetFlow format data. Both of these tools make reporting data transfer simpler and possible.

The “Visualization Needs for the Future Development Phase” chart has been coded for ease of readability in the bar graph below, reflecting the actual number of tools that are capable of meeting each particular need in the Future Development Phase (refer to table 13 and figure 6).


Table 13. Visualization needs for the future development phase.

Visualization Needs for the Future Development Phase

FD1   Allow others to view current attacks
FD2   Integrate real-time (dynamic) animation
FD3   Connect global resources visually
FD4   Increase collaboration capabilities
FD5   Incorporate data and report sharing on various networks

Figure 6. Visualization tools for the future development phase chart.
Seven of the surveyed visualization tools proved applicable to the visualization needs for analysts’ tasks in the Future Development Phase. Visualization need “FD3” may be accomplished by using the visualization tools GUESS, NVIVO, and Visone. GUESS works with other systems such as JUNG, Prefuse, and TouchGraph. NVIVO allows import of YouTube videos and social network posts, and supports working collaboratively with Web pages or online PDFs. Visone imports and exports standard file formats for social network data, and this capability can be applied to the network security domain. These tools aid in sharing resources to foster global data transmission for analysts’ tasks.

Capability assessment for the following visualization need(s) for analysts’ tasks:

• Visualization need “FD4” may be accomplished by using the visualization tools GUESS, NVIVO, Visone, PeopleGarden, SemaSpace, SocSciBot, and ThinkMap. PeopleGarden is useful for threaded discussion spaces but needs to be incorporated into a communication medium. SemaSpace can incorporate additional data such as images, sounds, and full texts into a communication medium. SocSciBot exports network diagrams to Pajek and UCINET; this capability can be tweaked to extend to more databases and global resources. ThinkMap’s data-driven technology for Web applications may be incorporated into a communication medium for ease of access to data. These tools aid in providing an environment for global collaboration and effective reporting.


In summary, out of the forty-one visualization needs, the surveyed visualization tools met twenty-five of them and left sixteen unmet. See figure 7.


[Chart: Capability Performance for Analysts’ Tasks; category: Visualization Needs; legend: Visualization Needs Met, Visualization Needs Unmet]


Figure 7. Visualization tools’ overall capability performance meeting analysts’ needs.
7. Conclusions


In this report, we evaluated which capabilities of existing visualization tools truly meet analysts’ needs. The fifty-nine visualization tools, grouped as CAIDA tools, Visual Programming Language tools, Visual Software Packages and Kits, Visualization Library tools, Graphical Data Representation tools, and Innovative Visualization tools, proved that 61% of the visualization needs for analysts’ tasks could be met. Surprisingly, 39% of the visualization needs for analysts’ tasks remain unmet. Our findings demonstrate an immediate need for the development of visualization tools that address the remaining visualization needs. This assessment pinpoints the need for improved user interfaces or environments for analysts who perform network security tasks. The survey’s findings help the entire network security community gain knowledge superiority over malicious attackers. This survey can be used to promote future work in testing and confirming that the identified 61% of visualization needs are truly met by the surveyed visualization tools. This assessment also drives ideas for innovative development and integration with other techniques in ensemble to aid IDS with analysts’ tasks.